It's a hack. A nasty hack. The worst kind of hack: a UNIX hack.
But we had the right tools! We had a security program! This shouldn't have happened to us! We were ready!
And within 20 minutes of the damage becoming apparent, everyone realizes they weren't hitting on all cylinders: What went wrong? What do we do to clean up?
Consultants get nice engagements sometimes, but this one won't be. It'll be a week of explaining to the auditors, the management, and even most of the skilled administrative staff. Call it "UNIX Security 101." In some cases, it'll even be "Introduction to UNIX."
UNIX Security Issues
UNIX is a great operating system, with an incredible number of tools for both security diagnostics and hacking. Add another year or so on top of the stiff learning curve for UNIX itself to even begin learning UNIX security. But give up trying to learn every single exploit against UNIX; consider the basics first.
The best UNIX lessons come from looking at other people's errors, I've determined from 10 years in information security. For example, you might think that UNIX is a lot easier to learn than in times past because there are so many nice administrative interfaces. (X Windows is now the rule rather than the exception.) With the growth of Linux, many books are available for UNIX. Things are better, but common problems remain, the biggest of which is security. People get distracted by the number of exploits.
Talk UNIX and security and you'll encounter many surprises. Auditors focus on papers and processes, discussing corporate-approval processes with triplicate forms that are never circumvented. System administrators point out the specifics of NFS on AIX (while the HP-UX administrator looks on in amazement). Windows administrators run some alien adaptation of NFS on their servers to share files, but mention Windows security and they come over to jabber about NTLM. The UNIX guys are debating shadow passwords, even though their servers run Samba with who knows what settings. Both groups share common accounts and passwords, and any security problem is devastating to both platforms. But instead of talking, they argue in some twisted technological holy war.
All the checklists, tools, and single-point solutions in the world won't get this problem fixed. Until people learn the top-level principles of UNIX hacking (the end goal, banging passwords, and process stealing), UNIX security efforts will never come together. It's one linked enterprise, and until all the boxes handling information meet baseline expectations, security efforts are incomplete at best.
This article focuses on the basics. Every few weeks a new exploit comes out; knowing them all is impossible. How do you interpret odd settings at a client site? Is this a misconfiguration or a hack? Knowing the basics behind UNIX security will guide you.
Let's enter the world of a security investigation, with events taken from several actual investigations. The details are obscured to protect identities (and deflect possible legal actions against the author).